How to login in EC2 instance with non ec2-user

amazon ec2

How to login with non ec2-user account in amazon linux ami?

#useradd -m sample
#passwd sample
set password

#cat /etc/passwd
sample:x:508:1002::/home/monitor/sample:/bin/bash

# cat /home/monitor/sample/.ssh/authorized_keys
command="echo 'Please login as the ec2-user user rather than root
user.';echo;sleep10"    ssh-rsa xxxxxxxxx

# chown -R sample /home/monitor/sample/.ssh

I copied /root/.ssh/authorized_keys to the new user's .ssh directory also

At login time server says 'server refused our key' and no supported authentication method available popup.

How to associate sample with my existing key pair?

Best Answer

Instead of copying /root/.ssh/authorized_keys you should be copying /home/ec2-user/.ssh/authorized_keys to the new user's authorized_keys file. You'll also want to make sure the permissions are set correctly.

For example:

rsync -a /home/ec2-user/.ssh /home/monitor/sample/
chown -R sample:sample /home/monitor/.ssh

Related Solutions

Ssh – AWS Amazon EC2 – password-less SSH login for non-root users using PEM keypairs

Ok, no responses saying that this is hideously exposed in any way, except for the fact that if someone gets into the user login, they get the user's PEM key. Which shouldn't let them get anywhere else*.

It is working with the above approach.

*Usual caveats apply

Ftp – EC2 FileZilla login OK but no write or delete access

You have mentioned (and possibly confused) a few different things - so your objective isn't quite clear, unfortunately.

SFTP - there is no such thing as 'passive SFTP' - the SFTP protocol is completely different from FTP and is handled by /usr/libexec/openssh/sftp-server (set in /etc/ssh/sshd_config) not vsFTPd
Apache .htaccess files have nothing to do with FTP - they define rules for how your web server will deliver content (i.e. to a visitor of your website).
Are you trying to use FTP to SFTP?
Are you trying to serve websites from /home/admin, /home/ec2-user, etc? On Amazon's Linux the default web root for Apache is /var/www/html. Typically, you will add your content there, or you have to change the DocumentRoot in httpd.conf.

vsFTPd can be setup to use local users. To do so:

set local_enable=YES and chroot_local_user=YES (vsftpd.conf)
create your system user (useradd) (with /sbin/nologin as the shell) - the user will be restricted to their home directory (the chroot directive above)
set the password (passwd)
Restart vsftpd for the config changes to take effect
Login via FTP (not SFTP)

For SFTP (not using vsftpd!):

Append /usr/libexec/openssh/sftp-server to /etc/shells
Create a new user with the shell /usr/libexec/openssh/sftp-server
Set the password for your new user
Login via SFTP. You won't be restricted to your home directory here, but will not be able to write to locations where your user doesn't have permissions

Now for the permissions issue you are facing:

Firstly, do NOT go and change the permissions or ownership on files just because you can't write to a directory. Most directories are owned by root, and only writeable by the owner.
For a web server, keep your permissions restrictive - 644 (rw-r--r--) or less - (group and other should not need write permissions; and no one should need execute permissions in most cases)
Set your file ownership to the same as the user your web server is running as if you use dynamic files (e.g. PHP).

Your options therefore are:

Serve files from your user's home directory (instead of /var/www/html) - keep your user chrooted, and set the DocumentRoot in httpd.conf to point to the correct path. This is a good (secure) approach, but the typical change that is made is to set the user's home directory to a path under /var/www/html (e.g. for multiple people with their own sites, /var/www/html/USERNAME - with the DocumentRoot set accordingly)
Give your Apache user FTP/SFTP access - it sounds reasonable, but especially using FTP is insecure.
Use SCP and switch your user to root (sudo) - it has its uses, but not for saving files to a web server directory - all files created are owned by root

My recommendation would be SFTP with a certificate, and your home directories under /var/www/html

The specific commands for adding an SFTP user on Amazon's Linux:

Disclaimer: it is much more secure to use certificates than passwords - and you should keep PasswordAuthentication disabled.

#Add the shell
echo /usr/libexec/openssh/sftp-server >> /etc/shells

#Create a user with the shell, I have not setup a home folder
useradd -M -s /usr/libexec/openssh/sftp-server USERNAME

#Set the password
passwd USERNAME

Edit /etc/ssh/sshd_config:
Change: PasswordAuthentication no to PasswordAuthentication yes (line 69), save and quit

#Restart SSH
service sshd restart

To restrict your user to one directory (i.e. chroot):

Since the sftp-server will not be in your chroot path, we need to change it: Change (in sshd_config):

Subsystem      sftp    /usr/libexec/openssh/sftp-server

To:

Subsystem     sftp   internal-sftp

Add the following to the end of your sshd_config (replace the path with, for instance, /var/www):

Match User USERNAME
    ChrootDirectory /path/to/restrict/to
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand internal-sftp
Match

Restart SSH:

service sshd restart

Best Answer

Related Solutions

Ssh – AWS Amazon EC2 – password-less SSH login for non-root users using PEM keypairs

Ftp – EC2 FileZilla login OK but no write or delete access

Related Topic